Topic: Wallet stealer in MouseCoin-qt.exe (Read 1001 times)

newbie
Activity: 36
Merit: 0
March 14, 2014, 05:47:30 AM
#8
so even scanning with virus total would not have revealed this?


This one had a few detects in VirusTotal but I think one problem is that there always seem to be a few false-positive detections on all Qt wallets, so people are being trained to ignore VirusTotal results for new altcoins even when they are true-positive.

It's just downright crazy to run a program downloaded from this forum on a machine where your other important files (i.e. wallets) are stored. If you want to beat everyone else to jump on the latest coin or whatever, use a separate VM for each wallet until its code is shown to be trustworthy. And if for some reason it doesn't run in a VM, that's probably a good sign it's malware.
legendary
Activity: 2100
Merit: 1167
MY RED TRUST LEFT BY SCUMBAGS - READ MY SIG
March 13, 2014, 02:48:31 PM
#7
so even scanning with virus total would not have revealed this?

sr. member
Activity: 433
Merit: 260
March 13, 2014, 02:23:22 PM
#6
Great research, substratum, thanks.

So it's not that someone hacked a server and replaced legitimate cryptocoin-qt with a trojan-infected one, this is an operation by the authors of these altcoins themselves.

I wonder how successful they've been in stealing money this way...
legendary
Activity: 1512
Merit: 1000
March 13, 2014, 10:49:14 AM
#5
Nice find. :)
full member
Activity: 167
Merit: 100
March 13, 2014, 09:41:52 AM
#4
Well, that settles it then..... Mousecoin is deader than a drowned rat.
newbie
Activity: 36
Merit: 0
March 12, 2014, 09:27:22 PM
#3
Just verified that the Win32 JunnonCoin-Qt client posted in the thread I linked to above is also the same malware.
newbie
Activity: 36
Merit: 0
March 12, 2014, 09:09:34 PM
#2
A friend of mine who mines scrypt coins, but who otherwise isn't that geeky, discovered an oddly named hidden .zip file in his C: root directory (2014Äê2ÔÂ13ÈÕ18ʱ45·Ö.zip - he doesn't have cyrillic script installed). In it are contained the wallet.dat files for all his cryptocoins (renamed to Bitcoin.dat, Litecoin.dat, etc).

The filename isn't Russian, it's a date/time in Chinese. The trojan sends the wallet files to 23.239.111.68 on TCP port 12730. That IP is assigned to a "Wei Cheng":

Code:
[support.gorillaservers.com]
%rwhois V-1.0,V-1.5:00090h:00 support.gorillaservers.com (Ubersmith RWhois Server V-2.4.0)
autharea=23.239.96.0/19
xautharea=23.239.96.0/19
network:Class-Name:network
network:Auth-Area:23.239.96.0/19
network:ID:NET-2827.23.239.111.64/27
network:Network-Name:23.239.111.64/27
network:IP-Network:23.239.111.64/27
network:IP-Network-Block:23.239.111.64 - 23.239.111.95
network:Org-Name:cheng, wei

That IP was also listed as a static node in the QT configuration file for JunnonCoin, a Chinese altcoin:

https://bitcointalksearch.org/topic/giveawaydoge-and-junnoncoin-413045

I'm going to go ahead and say this is a Chinese wallet-stealing operation, not Russian.
sr. member
Activity: 433
Merit: 260
March 12, 2014, 01:35:45 PM
#1
A friend of mine who mines scrypt coins, but who otherwise isn't that geeky, discovered an oddly named hidden .zip file in his C: root directory (2014Äê2ÔÂ13ÈÕ18ʱ45·Ö.zip - he doesn't have cyrillic script installed). In it are contained the wallet.dat files for all his cryptocoins (renamed to Bitcoin.dat, Litecoin.dat, etc).

Checking the file's last modified date and looking at the Prefetch directory, I determined that this file was created after running mousecoin-qt.exe or Mouse.exe (contained in the downloaded MouseCoin-Qt1.0.0.0_Win.rar). He downloaded that from the official site on 13 Feb 2014, linked to from the Bitcointalk announcement thread. When opened, mousecoin-qt.exe generates a hidden VBS file (tem.vbs), but this file in itself is innocent, containing just these four lines:

Code:
' Dropped by mousecoin-qt.exe: removes the executable and then this script itself
Dim fso
Set fso = CreateObject("Scripting.FileSystemObject")
fso.DeleteFile("C:\Program Files\MouseCoin-Qt1.0.0.0_Win\mousecoin-qt.exe")
fso.DeleteFile("C:\Program Files\MouseCoin-Qt1.0.0.0_Win\tem.vbs")

So the wallet-stealing code is contained in mousecoin-qt.exe itself, and the VBS file is used to delete itself. I haven't gone so far as to check where the .zip file with the wallets is sent, but if anyone is interested let me know.

As of today, the "official" MouseCoin sites (mousecoin.net and mouseco.in) return a 404, and the announcement thread has been renamed to "[ANN]New Coin MouseCoin ,yep,i m Jerry !", and some Russian users appear to have posted over the last several weeks for the purpose of bumping the thread.

TL;DR: MouseCoin steals all your cryptocoin wallets! Had my friend not password-protected his wallets, they'd have all been wiped instantaneously.
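A defender-side check for the artifact described in posts #1 and #2 (a .zip at the drive root holding renamed wallet.dat files), added here as an example and not code from the thread: it scans a directory for zip archives whose .dat members are either named like the reported files (Bitcoin.dat, Litecoin.dat) or begin with the Berkeley DB Btree magic that a Bitcoin-style wallet.dat carries, so renamed wallets for coins not on the name list are still caught. The sample archive is constructed inline; the member-name list and the magic-number test are assumptions beyond what the posts report.

```python
import io
import struct
import zipfile
from pathlib import Path

# Berkeley DB Btree magic; wallet.dat is a Berkeley DB file and stores this
# value little-endian at byte offset 12 of its first (metadata) page.
BDB_BTREE_MAGIC = 0x00053162
# Member names post #1 reports inside the stolen archive (assumed list).
WALLET_NAMES = {"bitcoin.dat", "litecoin.dat"}


def looks_like_bdb(data: bytes) -> bool:
    """True if the blob starts with a Berkeley DB Btree page header."""
    if len(data) < 16:
        return False
    return struct.unpack_from("<I", data, 12)[0] == BDB_BTREE_MAGIC


def suspicious_members(zip_bytes: bytes) -> list:
    """Return archive member names that look like exfiltrated wallet files."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = Path(info.filename).name.lower()
            if not name.endswith(".dat"):
                continue
            with zf.open(info) as member:
                head = member.read(16)
            if name in WALLET_NAMES or looks_like_bdb(head):
                hits.append(info.filename)
    return hits


def scan_root(root) -> dict:
    """Map each .zip directly under `root` (e.g. C:\\) to its suspicious members."""
    findings = {}
    for path in Path(root).glob("*.zip"):
        hits = suspicious_members(path.read_bytes())
        if hits:
            findings[str(path)] = hits
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: two fake renamed wallets plus one harmless file."""
    fake_wallet = bytes(12) + struct.pack("<I", BDB_BTREE_MAGIC) + bytes(4080)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Bitcoin.dat", fake_wallet)
        zf.writestr("Dogecoin.dat", fake_wallet)  # not in WALLET_NAMES; caught by magic
        zf.writestr("readme.txt", b"nothing to see")
    return buf.getvalue()
```

Run scan_root("C:\\") on the affected machine; a non-empty result is the same finding the friend made by hand, and a firewall rule or log search for outbound TCP 12730 to 23.239.111.68 covers the exfiltration side reported in post #2.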